The PCI SSC Latin America Forum took place this week in São Paulo, Brazil, gathering more than 350 payment security practitioners from Brazil and Latin America to discuss the latest in payment security and standards. Here we talk with Carlos Caetano, PCI SSC Associate Regional Director for Brazil, about payment security trends, highlights from the Latin America Forum, and industry involvement opportunities for the region.
The state of payment security was a key theme in discussions at the Latin America Forum. What are some of the key threats and trends for the Brazil payment card industry?
Carlos Caetano: In terms of key threats and trends in the region, there’s a huge focus by cybercriminals on the card-not-present (CNP) space, and particularly organizations with large amounts of stored cardholder data that can be stolen and monetized on the dark web.
According to Trustwave GSR 2019, 66% of the compromises in Latin America are on e-commerce, and the methods used to compromise are attack vectors which OWASP added to their list of common security risks in 2010, including code injection, application exploits, file upload and SQL injection.
There is indeed a movement in Latin America towards investing in data devaluation solutions, such as tokenization, but no doubt that there’s still much work to be done.
A panel of Brazil Regional Engagement Board members shared experiences and insights on implementing and maintaining PCI DSS controls in their organizations. What were some of the key takeaways?
Carlos Caetano: The Brazil Regional Engagement Board has been very active this year, producing success case studies for PCI DSS adoption and Internal Security Assessor (ISA) training, as well as producing articles for assessor newsletters so our lessons learned here can be shared with Participating Organizations, assessors and others interested in PCI Standards around the world. Great takeaways came out of the panel, which I can summarize here:
- “PCI DSS is one of the most comprehensive security standards in the industry and can be applied to multiple areas.”
- “PCI DSS helps the organization by fostering a disciplined approach to the compliance process. It creates good visibility of the controls within senior leadership and provides a common vocabulary for the executives.”
- “Our PCI DSS program has helped us maintain all contracts with our clients and address new challenges with issuers, banks and acquirers.”
- “The program to implement and maintain PCI DSS compliance should be permanent and with proper empowerment and oversight. A PCI DSS program must be in the leadership agenda.”
- “Serving on the Brazil Regional Engagement Board is an enriching experience and a huge responsibility to represent the region's stakeholders. We have the mission to advise the PCI Council on the challenges of implementing standards and programs and provide feedback and advice.”
- “Serving on the Brazil Regional Engagement Board is a major experience to contribute to the Payment Card Industry in Brazil and have a voice to share our unique challenges and points.”
- “Companies are finally realizing that a data devaluation strategy helps to reduce the attack surface. Tokenization models link a token to a merchant and a specific card, so this information loses relevance to an attacker.”
At the forum, you provided an update on PCI Standards and Programs. What do you see as some of the most relevant initiatives for Brazil right now?
Carlos Caetano: PCI DSS 4.0 is the most relevant initiative for Brazil now, since it is the standard most broadly adopted and which almost all payment card industry stakeholders here are working on. Secondly, the new PCI Qualified PIN Security Assessor (QPSA) Program is very relevant here, with many acquirers, processors and vendors dealing with PIN encryption and key management procedures. The PCI Software Security Framework (SSF) is also a priority initiative for stakeholders in Brazil, with software vendors specifically interested in the greater flexibility the Secure SLC Standard offers for validating minor changes to their payment software products. Lastly, the Associate QSA Program is gaining traction in Brazil as well, with a number being trained during our QSA training class earlier this month.
In your role, a key focus is working to increase industry participation from Brazilian stakeholders in the PCI Security Standards Council. What are some of the key opportunities for involvement?
Carlos Caetano: The first one is to become a Participating Organization, which provides the opportunity to actively participate in and contribute to the Council’s payment security initiatives globally and in Brazil, and to stay informed on Council news and updates through exclusive PCI SSC communications such as the PCI Monitor, and events, such as the Latin America Forum (LAF) and an exclusive pre-conference event. Key involvement opportunities for Participating Organizations in the remainder of 2019 include nominating and serving on the Brazil Regional Engagement Board (2020/2021 term); reviewing draft standards in development and providing feedback on them via the request for comments (RFC) process (including PCI DSS 4.0 and PCI PTS POI 6.0); and submitting proposals for 2020 Special Interest Groups (SIGs).
We are seeing growth of involvement and interest in the PCI SSC and PCI Standards in Brazil since 2016, but we need more stakeholders engaged and active in the ongoing effort to secure cardholder data.